Security Alert: Jaff Ransomware Operation Tied to Cyber Crime Marketplace
Jaff ransomware, one of the newest and fastest-rising strains, has been sweeping the world over the past month. As it turns out, the operation behind it runs much further than malicious data encryption.
While analyzing a recent variant of Jaff, researchers have uncovered that this ransomware type shares server space with a refined cyber crime web store.
As observed in previous campaigns, the Jaff ransomware infection starts with a malicious PDF, which, when opened, prompts the user to click on an additional file, while triggering the infection in the background.
[Screenshot: Jaff ransomware malicious PDF]
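The lure described above is a PDF that carries a second file and nudges the reader to open it. The triage check below is an added example (not code from the original article or from any vendor) that flags the PDF features such a lure depends on; the two PDF byte strings are constructed stand-ins, not real Jaff samples.

```python
import re

# Constructed minimal PDFs (not real samples). LURE_PDF mimics the lure:
# an embedded file plus an auto-run action that prompts the reader to open
# it. BENIGN_PDF is a plain one-page document with no actions at all.
LURE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R\n"
    b"   /Names << /EmbeddedFiles << /Names [(invoice.docm) 4 0 R] >> >> >> endobj\n"
    b"4 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 6 0 R >> >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS (app.alert('Open the attached file');) >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nPK\x03\x04\nendstream endobj\n"
    b"%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"%%EOF\n"
)

# PDF name objects that an invoice or receipt has no business carrying.
RISKY_NAMES = {
    b"/EmbeddedFile": "embedded file payload",
    b"/OpenAction": "action runs automatically on open",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
    b"/Launch": "launch action",
    b"/AA": "additional (event-triggered) actions",
}

def pdf_findings(data: bytes) -> list[str]:
    """Return descriptions of risky PDF features present in `data`.

    Heuristic only: names may be hex-escaped (/#45mbeddedFile) and objects may
    sit inside compressed object streams, so a miss is not a clean bill of
    health; a dedicated tool such as pdfid goes further.
    """
    found = []
    for name, desc in RISKY_NAMES.items():
        # A name token ends at whitespace or a delimiter, so /JS must not
        # match inside /JScript and /EmbeddedFile must not match /EmbeddedFiles.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9_])", data):
            found.append(desc)
    return found

def is_lure(data: bytes) -> bool:
    """Lure pattern: an embedded file plus at least one action that can prompt the reader."""
    findings = set(pdf_findings(data))
    return "embedded file payload" in findings and len(findings) > 1
```

Run `pdf_findings` over inbound attachments at the mail gateway or in a sandbox pre-filter; a hit on `is_lure` is worth quarantining for manual review rather than blocking outright, since some legitimate forms also embed files.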
By following the trail and digging deeper into cyber criminal infrastructure, researchers discovered the web shop that provides access to tens of thousands of compromised bank accounts, complete with details about their balance, location and attached email address.
Malicious hackers can use Bitcoins to purchase stolen credit cards, some of which have already been verified, and compromised accounts on Paypal, Amazon, eBay and many more.
Prices per item vary from under a dollar to several Bitcoins.
Access to the marketplace doesn’t include a vetting process, making the barrier to entry quite low for malicious actors of all kinds.
What’s more, the shop also includes filters, so the buyer can find the targets with the most lucrative potential. For example, the screenshot below shows that the compromised accounts from New Zealand bank ASB listed in the shop total up to $275,241.
Banks from all over the world are listed, ranging from German financial institutions to US and Australian ones. The highest volume of compromised records appears to originate from these countries: USA, Germany, France, Spain, Canada, Australia, Italy and New Zealand.
Other types of user accounts that include financial data are available as well. Unsuspecting Internet users who have shopped online at Apple, Bed Bath & Beyond, Barnes & Noble, Best Buy, Booking.com, Asos.com and many other ecommerce portals can become victims of cyber fraud or other types of malicious activity.
This doesn’t mean that those specific web shops have been compromised. Cyber criminals use a wide range of tactics to get into victims’ accounts, often focusing on breaking weak and/or reused passwords.
Black hat hackers can not only harvest financial data from these accounts but also use them to make purchases.
Credit card data remains one of the hottest commodities in the malware economy, providing easy access to cash, which cyber criminals can then turn into untraceable Bitcoins.
The server used for these criminal operations is located in St. Petersburg, Russia and is hosted on 5.101.66[.]85 (sanitized for your protection). The same server is also part of the infrastructure that fuels the Jaff ransomware attacks that have been sweeping across Europe and the rest of the world.
The cyber crime marketplace uses the following domains (sanitized for your protection):